(54) System and method for generation of a signature certificate in a public key infrastructure



(57) System and method for generation of a signature certificate in a Public Key Infrastructure (PKI) that includes sending a new user a first piece of information required for generation of a signature certificate for the new user. A personal registration authority is sent a second piece of information required for generation of a signature certificate for the new user. The second piece of information is delivered to the new user by the personal registration authority in a face-to-face meeting. The first piece of information and the second piece of information are provided to a registration authority by the new user. A key pair is generated for the new user that includes a public key and a private key. The public key is provided to a certification authority. A signature certificate is generated for the new user by the certification authority. The certification authority digitally signs the signature certificate. The digitally signed signature certificate is then stored in a database.
Description

BACKGROUND 
Field of the Invention 

[0001] This invention relates to Public Key Infrastructures (PKI), and more specifically to generation of signature certificates in a PKI.

Background Information 

[0002] A public key infrastructure (PKI) is a collection of servers and software that enables an organization, company, or enterprise to distribute and manage thousands of unique public/private cryptographic keys in a manner that allows users to reliably determine the identity of the owner of each public/private key pair. When each member of an enterprise has a unique key, paper-based business processes may be transitioned to an on-line, electronic equivalent. Public/private key pairs have the property that for any given public key there exists one and only one private key, and vice versa. Public key cryptography (i.e., the ability to publicly distribute the encryption key) can be used to digitally sign documents. If a particular message can be decrypted using one member of the key pair, then the assumption is that the message must have been encrypted using the other member. If only one person knows the key used to perform the encryption of a document in the first place, then the recipients that can decrypt the document can be sure that the sender of the document must be that person.
[0003] However, for a digital signature to be meaningful, the recipient of an object signed with the digital signature must first be able to reliably determine the owner and integrity of the key used to sign the object. Public key infrastructures accomplish this using an electronic document called a digital certificate. Certificates may contain information identifying the owner of the key pair, the public component of the pair, and the period of time for which the certificate is valid. The certificate may also identify technical information about the key itself, such as the algorithm used to generate the key, and the key length. Certificates are generated by organizations, companies, or enterprises that are responsible for verifying the identity of individuals (or in some instances organizations) to which certificates are issued. The certifying organization is known as a certificate authority. The certificate authority signs each certificate using a private key known only to the certificate authority itself. This allows users of the PKI to verify both the integrity of the certificate and the identity of the authority that issued it. By issuing a certificate, a certificate authority is stating that it has verified that the public key that appears in the certificate (and, by extension, the corresponding private key) belongs to the individual listed in the certificate. The integrity with which the registration process operates is, therefore, of great importance. The process must provide mechanisms for reliably identifying the individual and for verifying that the public key listed in the certificate belongs to that individual.
[0004] Fig. 1 shows a block diagram of an example PKI system architecture. Current PKIs that provide strong authentication of user identity accomplish this via the use of a local registration authority officer (LRAO) 12. LRAO 12 operates at a work station or server platform 14 that runs a local registration authority software application 16. Server platform 14 may be any known computing device that may serve as a server, e.g., computer, workstation, etc. The local registration authority application 16 interfaces to other server platforms that may contain applications such as a certificate authority application 18, a registration authority application 20, and/or a key recovery authority application 22. Each application may be on the same server platform, or on separate individual server platforms 14. A user 10, that is using or desires access to the PKI system architecture, accesses the system via a web browser 22 on a client platform 24. A hardware token 26, such as a smart card, may also be operably connectable to client platform 24. Typically in current systems, user 10 presents a photo I.D. or other documentation to the local registration authority officer 12 in order to authenticate the user's identity. Local registration authority officer 12 then uses workstation 14 and local registration authority application 16 to signal a registration authority application 20 to register new user 10 in the system. Local registration authority application 16 may be off-the-shelf product software that comes typically bundled with a certificate authority application 18, registration authority application 20, and key recovery authority 22 software.
[0005] A public/private key pair is generated by either the local registration authority application 16 or the registration authority application 20 (depending on products chosen and depending on how they've been configured). The public key is sent to certificate authority application 18 to be signed, thereby generating a certificate for new user 10. A backup copy of the private key may also be sent to key recovery authority application 22; however, normally the private key is kept on a token 26, or at client platform 24 by user 10. Once the public key is sent to a certificate authority 18 and signed, a user certificate is generated and provided to a local registration authority server. Local registration authority officer 12 copies the certificate (including the private key) onto a floppy disk, hardware token, or other storage medium, and then provides the certificate and private key to the user.

[0006] Current public key infrastructures for generating digital certificates have some problems. First, for large organizations, the cost to implement systems similar to that shown in Fig. 1 is high due to the need for multiple local registration authority officers to handle the large number of users that may reside at various locations. Generally, certificate requests are submitted via some method (paper, email, web, etc.) to the local registration authority. The certificate requests are queued for working off by the local registration authority officers. Current systems are inefficient because request queues will be subject to human intervention. The normal certificate issuance process involves actions by the requester and the local registration authority. After some time and effort, the requester receives the digital certificate. This time may be dependent on the number of requests in the queue and/or the efficiency of the local registration authority officers.

[0007] Moreover, current systems are less secure because a relationship between the requester and the local registration authority officer does not necessarily exist and, therefore, presents an opportunity for an intruder to exploit. In addition, current systems are less secure since, without a manager of the user (or some other individual who may personally know the user) in the process flow, there is no definitive proof of who the PIN and password (required for generation of digital certificates) given to the user were issued to.

[0008] Therefore, a need exists for a PKI system and method that provides an inexpensive and reliable mechanism for implementing a face-to-face meeting as part of a new user registration process for generation of a digital certificate for the user.

SUMMARY 

[0009] The present invention is directed to a method for generating a signature certificate in a Public Key Infrastructure (PKI). Data about a new user is entered into a database. The new user may request access to an enterprise server. A personal registration authority queries the database for new user information. The new user is sent a first piece of information required for generation of a signature certificate for the new user. A personal registration authority is sent a second piece of information required for generation of a signature certificate for the new user. The second piece of information is delivered to the new user by the personal registration authority in a face-to-face meeting. The first piece of information and the second piece of information are provided to the registration authority by the new user. The new user is registered by the registration authority. A key pair for the new user that includes a public key and a private key is generated. The public key is provided to a certification authority. A signature certificate for the new user is generated and digitally signed by the certification authority. The signed signature certificate that includes the public key is sent to the database.
[0010] The present invention is further directed to an article comprising a storage medium having instructions stored therein, the instructions when executed causing a processing device to perform: querying a database for new user information; sending the new user a first piece of information required for generation of a signature certificate for the new user; sending a personal registration authority a second piece of information required for generation of a signature certificate for the new user; receiving the first piece of information and the second piece of information from the new user; registering the new user; and signaling a client platform to generate a key pair for the new user comprising a public key and a private key.

[0011] The present invention is also directed to a system for generating a signature certificate in a Public Key Infrastructure (PKI). The system includes: one or more servers operably connected to a network; a database operably connected to the network where the database contains information on at least one user; a directory operably connected to the network where the directory contains the same information as the database but provides faster access to the information; one or more client platforms operably connected to the network where the one or more users request access to the one or more servers from the one or more client platforms; and a registration web server operably connected to the network where the registration web server sends the new user a first piece of information required for generation of a signature certificate for the new user and also sends a personal registration authority a second piece of information required for generation of a signature certificate for the new user. The second piece of information is delivered to the new user by the personal registration authority in a face-to-face meeting. The first piece of information and the second piece of information are used by the new user in a process for generation of public and private keys and a signature certificate for the new user.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0012] The present invention is further described in the detailed description which follows in reference to the noted plurality of drawings by way of non-limiting examples of embodiments of the present invention in which like reference numerals represent similar parts throughout the several views of the drawings and wherein:

Fig. 1 is a block diagram of an example PKI system architecture;

Fig. 2 is a block diagram of an exemplary system architecture in which PKI processes may be practiced according to an example embodiment of the present invention; and

Fig. 3 is a flow chart of an example process for generation of a signature certificate in a public key infrastructure according to an example embodiment of the present invention.

DETAILED DESCRIPTION 

[0013] The particulars shown herein are by way of example and for purposes of illustrative discussion of the embodiments of the present invention. The description taken with the drawings makes it apparent to those skilled in the art how the present invention may be embodied in practice.

[0014] Further, arrangements may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram arrangements are highly dependent upon the platform within which the present invention is to be implemented, i.e., specifics should be well within the purview of one skilled in the art. Where specific details (e.g., circuits, flowcharts) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without these specific details. Finally, it should be apparent that any combination of hard-wired circuitry and software instructions can be used to implement embodiments of the present invention, i.e., the present invention is not limited to any specific combination of hardware circuitry and software instructions.

[0015] Although example embodiments of the present invention may be described using an example system block diagram in an example host unit environment, practice of the invention is not limited thereto, i.e., the invention may be able to be practiced with other types of systems, and in other types of environments (e.g., servers).

[0016] Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.

[0017] Fig. 2 shows a block diagram of an exemplary system architecture 100 in which Public Key Infrastructure (PKI) processes may be practiced according to an example embodiment of the present invention. The present invention is not limited to the system architecture 100 shown in Fig. 2. The boxes shown in Fig. 2 represent entities that may be hardware, software, or a combination of the two. The entities are operably connected together on a network. Entities not shown as being connected to the network represent one or more human beings that perform the function denoted inside the box.

[0018] System architecture 100 includes Data Entry 102 which performs a data entry function for Authoritative Database 104. Authoritative Database 104 is resident on server platform 106. A server platform 106 is referred to in this description but it should be understood that the present invention is not limited to any particular server architecture. Server platform 106 may be, for example, UNIX or Windows NT servers. Authoritative database 104 contains information about members of the group or enterprise (e.g., company) for which PKI services in accordance with the present invention may be performed. The present invention is not limited by the structure of the group or enterprise for which information is stored in the authoritative database 104. The information contained in Authoritative database 104 may include, for example, the name, address, telephone numbers, manager's name, employee identification, etc., of the members of the group or enterprise. Directory 108 contains the same information contained in database 104, but is optimized for fast look-up of the information stored therein rather than fast data entry. The information contained in Directory 108 may be accessed faster than accessing the information from database 104. Directory 108 functions similarly to an on-line, quickly accessible phone book, containing reference information about the members of the group or enterprise stored in authoritative database 104.

[0019] Certificate authority 110 may be conventional off-the-shelf software executed on server platform 106. Certificate authority 110 provides storage of certificates and related information. This will be described in more detail hereinafter. Registration authority 112 may also be off-the-shelf software executable on server platform 106. Registration authority 112 will also be described in more detail hereinafter. Key recovery authority 114 may also be off-the-shelf server software executable on Server Platform 106, and may provide the function of recovering keys (e.g., archived or lost keys) for members of the group or enterprise.

[0020] A Windows 2000 Domain Certificate Authority (CA) 116 is shown with a dotted line connection to the network and may or may not be part of a system according to the present invention. Windows 2000 is able to use PKI certificates for network single sign-on, but Windows 2000 is designed to use only the Windows Certificate Authority. Therefore, a system according to the present invention may include a conventional Certificate Authority 110 as well as a Windows 2000 Domain CA 116.
[0021] Legacy server 118 executes legacy application programs 120. Legacy server 118 may be, without limitation, a main frame, mini-computer, workstation or other server capable of hosting legacy software applications. Legacy software applications generally may not be designed to be inherently interoperable with a PKI. Legacy applications 120 may be accessible on the client side by a custom client 128 such as an emulator or custom database Graphic User Interface (GUI). Examples of emulators are terminal emulators of an IBM 3270 or terminal emulators of a vt100.
[0022] Registration web page 122, which may be one or more pages, functions as the user interface to system architecture 100 shown in Fig. 1. Web Server 124 is a software application that serves Web Pages (such as web page 122) or other HTML outputs to a web browser client (such as web browser 126). Web Server 124 may be any software application that serves Web Pages or HTML outputs such as, for example, Apache, Microsoft Internet Information Server application, etc.

[0023] Web browser 126 is resident on client platform 128 which may be any user computer or computing device. Web browser 126 may be a client software application for browsing web pages such as, for example, HTML protocols, XML protocols, or other protocols. Web browser 126 may be programmed to operate with PKI certificates issued by certificate authority 110. Examples of web browsers which have this capability include Netscape Navigator and Microsoft Internet Explorer. The token 130 may be a smart card, a device with a Universal Serial Bus (USB), or other hardware token device capable of generating, storing, and/or using PKI certificates.

[0024] A user 132 is a person that uses or desires access to system architecture 100. User 132 may transition through a number of states which include, for example, a new user, a current user, and a former user. A former user is no longer a member of the group or enterprise. System architecture 100 is described with reference to two levels of security with each level corresponding to a different security requirement. The number of the levels of security is not a limitation of the present invention. The level 1 search engine 134 may be a search engine that is permitted to search system architecture 100, but is allowed access to only level 1 data which is the lowest level of security. Level 1 data may be, for example, data which is freely distributable whereas level 2 data may be considered to be proprietary. A Level 2 search engine 136 may be a search engine which is allowed to search both level 1 and level 2 data. A Level N search engine (not illustrated) may be a search engine which is allowed to search through servers possessing Levels 1 through N data.

[0025] A secured level server with Level 1 data may be a web server containing only level 1 data that is secured so that users may need to have level 1 access (at least) to access the level 1 servers. A secured web server with level 2 data 140 may be a web server that contains level 2 data that has been secured so that users must have at least level 2 access to access the level 2 servers. A user with level 2 access may have access to both level 1 and level 2 servers. A secured web server with level N data (not illustrated) is a web server that contains level N data which is accessible by users with level N or above. Users with level N or above access may have access to all levels of data up through level N data.

[0026] VPN Extranet 142 may be a software application which functions as a network gateway, which as illustrated, may be either to legacy server 118 and legacy application 120 or to an external network such as the Internet. Personal revocation authority 144 may be one or more people that are in charge of revocation of members from system network 100. Personal registration authority 146 may be one or more people that are in charge of registration of members in system network 100. Personal recovery approval 148 may be one or more people that are in charge of obtaining recovery of certificates. A Recovery Agent 150 may be one or more people that perform recovery of certificates and may only recover a certificate if the certificate has first been designated as recoverable by another person. Personal role approval 152 may be one or more people that approve different role functions within the system network 100. A web server administrator may be one or more people that are in charge of various web functions in system network 100.

[0027] Fig. 3 shows a flow chart of an example process for generation of a signature certificate in a public key infrastructure according to an example embodiment of the present invention. In this example embodiment, a company or enterprise that has a large number of employees or individuals desires to generate digital signature certificates for all of their employees or individuals. Once an individual is hired by the enterprise, or the individual becomes a part of the group, the individual (new user) will need access to the servers and other resources of the enterprise. Therefore, the new user data will be entered into an authoritative database S1. The authoritative database contains information about all members of the enterprise. The member information includes data necessary to send registration materials to new users, e.g., home and/or work addresses, email addresses, telephone numbers, fax numbers, etc. The new user data entered into the authoritative database may be replicated into another directory database S2. The directory is structured to provide much faster access to the data than the authoritative database. Data in the directory is continually or periodically updated with the information in the authoritative database.

[0028] The new user attempts to access a server that is part of the enterprise S3. An enterprise web server requests that the new user provide a signature for access to the enterprise server S4. Since the new user has no signature, the web server redirects the new user to a registration web page S5. The new user identifies itself to the registration web page by providing an identification number (ID), e.g., employee ID, social security number, etc. The registration web server uses the identification information from the user to query the directory for new user information S6. The directory provides information about the new user to the registration web server S7.
[0029] The registration web server now sends the new user a piece of information required to generate a new signature for the new user S8. This required information sent to the new user may be in the form of a personal identification number (PIN), a password, etc. The registration web server sends a different piece of information, required to generate a new signature for the new user, to a personal registration authority S9. This second piece of information may also be in the form of a PIN or password. The PIN or password sent to the new user may be sent to the new user's home address, email address or work address. The PIN or password sent to the personal registration authority may be sent to the personal registration authority's email address (in encrypted form), work address or home address. The precise delivery mechanism is unimportant, provided that it is independent of the mechanism used to deliver the password to the user. Use of separate delivery mechanisms is designed to minimize the possibility of interception of both pieces of registration information by a party other than the new user. The personal registration authority delivers the second piece of information to the new user at a face-to-face meeting S10. It is preferred that the personal registration authority be a manager or supervisor of the new user, or another individual familiar with the identity of the new user. When this situation exists, the potential of an intruder fraudulently getting the second piece of information is eliminated.

[0030] The new user now revisits the registration web page and provides the two registration pieces of information to the registration web server S11. The registration web server verifies the information as valid, and then signals a registration authority to register the new user S12. The registration authority signals the web browser, or other resource, on the client platform to generate a private/public key pair S13. The public/private key pair may also be generated by a token or other device, or other application, at the client platform or elsewhere, and still be within the spirit and scope of the present invention. The browser at the client platform (or other source) generates the key pair for the new user and sends the generated public key to a certification authority to be digitally signed S14. The certificate authority signs the certificate and sends the signed certificate, that includes the public key, to the directory S15. The new user now has a signature certificate whereby others can access the public key of the new user to verify documents digitally signed by the new user with the private key of the new user. Once a certificate is generated for the new user, any PINs or passwords used in the generation process may be no longer valid (i.e., they have a one-time use).
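The server-side logic of steps S8 through S12, written in Go, is added here as an illustration and is not code from the patent or from any product it names. The type and method names (RegistrationServer, Begin, Complete, IsRegistered), the sample user ID and the choice of hex-encoded 16-byte random secrets in place of the PIN or password of S8 and S9 are this example's assumptions. What the paragraphs leave implicit and the code makes explicit: the two secrets are generated independently, must be presented together, are compared in constant time, and are consumed on the first attempt so that each pair has a single use.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// pendingRegistration holds the two one-time secrets of steps S8 and S9.
type pendingRegistration struct {
	userPIN string // sent directly to the new user (S8)
	praPIN  string // sent to the personal registration authority for face-to-face hand-over (S9)
}

// RegistrationServer is a constructed stand-in for the registration web server of
// Fig. 2 together with the registration authority it signals in S12. The type and
// field names are assumptions, not the patent's.
type RegistrationServer struct {
	pending    map[string]*pendingRegistration // keyed by the ID the user gives in S5
	registered map[string]bool
}

func NewRegistrationServer() *RegistrationServer {
	return &RegistrationServer{
		pending:    map[string]*pendingRegistration{},
		registered: map[string]bool{},
	}
}

// newPIN draws 16 bytes from the operating system CSPRNG and hex-encodes them.
func newPIN() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Begin is steps S8 and S9: issue two independent secrets. Both are returned to
// the caller, which must send them over separate channels (one to the user, one
// to the personal registration authority); the server never sends both to the
// same address. A repeat call replaces any unused pair for that user.
func (s *RegistrationServer) Begin(userID string) (userPIN, praPIN string, err error) {
	if userPIN, err = newPIN(); err != nil {
		return "", "", err
	}
	if praPIN, err = newPIN(); err != nil {
		return "", "", err
	}
	s.pending[userID] = &pendingRegistration{userPIN: userPIN, praPIN: praPIN}
	return userPIN, praPIN, nil
}

// Complete is steps S11 and S12: the user presents both secrets. They are compared
// in constant time and consumed on the first attempt whether or not it succeeds,
// which gives each pair the single use paragraph [0030] requires and leaves a
// guesser nothing to retry against.
func (s *RegistrationServer) Complete(userID, userPIN, praPIN string) error {
	p, ok := s.pending[userID]
	if !ok {
		return errors.New("no pending registration for this user")
	}
	delete(s.pending, userID)
	userOK := subtle.ConstantTimeCompare([]byte(p.userPIN), []byte(userPIN))
	praOK := subtle.ConstantTimeCompare([]byte(p.praPIN), []byte(praPIN))
	if userOK&praOK != 1 {
		return errors.New("registration secrets do not match")
	}
	s.registered[userID] = true // the RA may now trigger key generation (S13)
	return nil
}

// IsRegistered reports whether the user has completed both halves of enrolment.
func (s *RegistrationServer) IsRegistered(userID string) bool {
	return s.registered[userID]
}

func main() {
	s := NewRegistrationServer()
	userPIN, praPIN, err := s.Begin("emp-1001") // constructed sample user ID
	if err != nil {
		panic(err)
	}
	// The PRA hands praPIN to the user face to face (S10); the user then presents
	// both at the registration web page (S11). One secret alone is refused:
	fmt.Println("one secret only:", s.Complete("emp-1001", userPIN, "guess"))
	userPIN, praPIN, _ = s.Begin("emp-1001") // the failed attempt consumed the pair
	fmt.Println("both secrets:", s.Complete("emp-1001", userPIN, praPIN))
	fmt.Println("registered:", s.IsRegistered("emp-1001"))
}
```

Consuming the pair on a failed attempt is a deliberate choice for the example: it means a mistyped PIN forces the registration web server to issue a fresh pair, but it also means the secrets cannot be guessed one at a time. A deployment would normally add an expiry on pending registrations and audit-log each Begin and Complete call so that a pair issued but never completed is visible.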

[0031] Digital signatures may be used in a number of ways. It is not necessary that digital signatures be implemented by encrypting an entire document. For example, a document sent from a user to a second person may be passed through a one-way hashing algorithm to produce a smaller document, referred to as a digest. The digest is created by the user. The digest may be encrypted using the private key of the user. The user's private key serves as the user's (i.e., author's) private "signing key" to produce the document's digital signature. The digital signature (i.e., encrypted digest) may be appended to the document and both sent to the second person.

[0032] The second person (or any others) can then verify the digital signature on the document as being from the user by stripping the digital signature from the document and re-computing the hash function on the document to produce an "as received" digest. The second person may then access the user's public key from the directory. The second person uses the user's public key to decrypt the digest of the document as sent, and compares the decrypted digest to the as received digest. If the two digests match, the digital signature of the user is validated. If the two digests do not match, either the public key does not match the signer's (i.e., user's) private key, or the document has been modified since it was signed.
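The hash-then-sign scheme of paragraphs [0031] and [0032] in Go, as an added example that is not from the patent: SHA-256 produces the digest, and an RSA PKCS#1 v1.5 signature over that digest is the "encrypted digest" the text describes. The function names, the constructed sample document and the 2048-bit key size are this example's assumptions. It exercises all three outcomes the paragraph lists: a genuine signature, a document modified after signing, and verification with a public key that is not the signer's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument is the author's side of [0031]: hash the whole document to a
// fixed-size digest and sign the digest with the private signing key. RSA
// PKCS#1 v1.5 is used here because it is the "encrypt the digest with the
// private key" operation the text describes.
func signDocument(signingKey *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, signingKey, crypto.SHA256, digest[:])
}

// verifyDocument is the recipient's side of [0032]: recompute the "as received"
// digest and let the public key taken from the directory check it against the
// digest carried in the signature. Any mismatch is reported as false.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureOutcomes runs the three cases of [0032] on a constructed document and
// returns (genuine accepted, modified document rejected, wrong key rejected).
func SignatureOutcomes() (bool, bool, bool, error) {
	author, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // a key that is not the signer's
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Constructed sample: purchase order 4711, amount 1000")
	sig, err := signDocument(author, doc)
	if err != nil {
		return false, false, false, err
	}
	genuine := verifyDocument(&author.PublicKey, doc, sig)

	// Case 2: the document is altered after signing (amount 1000 becomes 1009),
	// so the recomputed digest no longer matches the signed one.
	modified := append([]byte(nil), doc...)
	modified[len(modified)-1] = '9'
	modifiedRejected := !verifyDocument(&author.PublicKey, modified, sig)

	// Case 3: the verifier fetched the wrong public key from the directory.
	wrongKeyRejected := !verifyDocument(&impostor.PublicKey, doc, sig)
	return genuine, modifiedRejected, wrongKeyRejected, nil
}

func main() {
	genuine, modifiedRejected, wrongKeyRejected, err := SignatureOutcomes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v modified rejected=%v wrong key rejected=%v\n",
		genuine, modifiedRejected, wrongKeyRejected)
}
```

The verifier never handles the decrypted digest itself: rsa.VerifyPKCS1v15 performs the comparison of the two digests internally and signals a mismatch as an error, which verifyDocument maps to false. In a deployed PKI the public key would be read from the user's signature certificate in the directory, and the certificate authority's signature on that certificate would be checked before the key is trusted for this comparison.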

[0033] Systems and methods for generation of a signature certificate in a public key infrastructure according to the present invention are advantageous in that they provide cost savings and improved security. Costs are saved in that the present invention reduces paperwork by incorporating an electronic process, shortens business process time lines since a minimal amount of human intervention is required, and promotes remote collaboration amongst the members of the enterprise. Security is improved since eavesdropping is protected against, spoofing is protected against, and a system according to the present invention authenticates a user identity, including hostile insiders. The advantages of the present invention are accomplished since manual processes that current PKI systems use have been replaced with automated processes that accomplish many of the same tasks. Systems and methods according to the present invention provide a very inexpensive mechanism for implementing a face-to-face meeting as a part of the new user registration process, therefore providing improved security while at the same time not adding significantly to the cost of the system (e.g., labor costs).
[0034] It is noted that the foregoing examples have been provided merely for the purpose of explanation and are in no way to be construed as limiting of the present invention. While the present invention has been described with reference to a preferred embodiment, it is understood that the words which have been used herein are words of description and illustration, rather than words of limitation. Changes may be made within the purview of the appended claims, as presently stated and as amended, without departing from the scope and spirit of the present invention in its aspects. Although the present invention has been described herein with reference to particular methods, materials, and embodiments, the present invention is not intended to be limited to the particulars disclosed herein, rather, the present invention extends to all functionally equivalent structures, methods and uses, such as are within the scope of the appended claims.

EP 1 162 781 A2

Claims

1. A method for generation of a signature certificate in a Public Key Infrastructure (PKI) comprising:

    sending a new user a first piece of information required for generation of a signature certificate for the new user;
    sending a personal registration authority a second piece of information required for generation of a signature certificate for the new user;
    delivering the second piece of information to the new user by the personal registration authority in a face-to-face meeting;
    providing the first piece of information and the second piece of information to a registration authority by the new user;
    generating a key pair for the new user comprising a public key and a private key;
    providing the public key to a certification authority; and
    generating and digitally signing a signature certificate for the new user by the certification authority.

2. The method according to claim 1, further comprising entering data about the new user into a database before the first sending.

3. The method according to claim 2, further compris- 
ing replicating the new user data into a directory. 

4. The method according to claim 1, further comprising querying a database for new user information by a registration authority before the first sending.

5. The method according to claim 4, wherein the da- 
tabase comprises a directory. 

6. The method according to claim 1, further comprising registering the new user by the registration authority after the providing.

7. The method according to claim 1, further comprising sending the signed signature certificate to a database after the digitally signing the signature certificate.

8. The method according to claim 7, wherein the da- 
tabase comprises a directory. 

9. The method according to claim 7, further compris- 
ing accessing the database by a second user to ac- 
cess the signature certificate of the new user. 

10. The method according to claim 9, further compris- 
ing verifying a digital signature of the new user 
based on the signature certificate. 

11. The method according to claim 10, wherein the verifying comprises:

generating a digest by executing an algorithm on a document by the new user;
generating a digital signature by encrypting the digest using the private key of the new user;
sending a document from the new user to the second user;
receiving the document from the new user by the second user, the document having the digital signature appended to the document;
using the public key referenced in the signature certificate of the new user to decrypt the appended digital signature;
generating a received digest by executing the algorithm on the received document by the second user; and
verifying the digital signature of the new user by comparing the decrypted digital signature with the received digest.
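The following Go program is an added example, not code from the patent or from any product implementing it, that walks through the certificate issuance of claim 1 and the signature verification of claim 11 using only Go's standard library. It assumes RSA-2048 keys, SHA-256 as the digest algorithm, PKCS#1 v1.5 padding for the "encrypt the digest with the private key" step, an X.509 certificate as the signature certificate, and a plain map (CertDB) standing in for the database or directory; the names NewCA, NewUserKeyPair, IssueSignatureCertificate, SignDocument, VerifyDocument, the CA name and the subject "alice" used below are all inventions of the example. The verifier does two things the claim leaves implicit: it checks that the certification authority actually signed the certificate it fetched from the database, and that the certificate is inside its validity period, before it trusts the public key carried in it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CertDB stands in for the patent's certificate database/directory (an
// assumption of this example): subject name -> DER-encoded certificate.
type CertDB map[string][]byte

// CA is the certification authority: its signing key and self-signed certificate.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA generates the CA key pair and its self-signed certificate.
func NewCA(now time.Time) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// NewUserKeyPair is the key generation step at the new user's platform.
func NewUserKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// IssueSignatureCertificate: the CA receives the user's public key, generates a
// signature certificate (identity, public key, validity period, algorithm),
// digitally signs it with the CA key, and stores it in the database.
func (ca *CA) IssueSignatureCertificate(db CertDB, user string, pub *rsa.PublicKey, serial int64, now time.Time) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return err
	}
	db[user] = der
	return nil
}

// SignDocument: the new user generates a SHA-256 digest of the document and
// signs it with the private key (PKCS#1 v1.5 padding is assumed here).
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument: the second user fetches the signer's certificate from the
// database and checks the appended signature. Returns nil only if all checks pass.
func VerifyDocument(db CertDB, caCert *x509.Certificate, signer string, doc, sig []byte, now time.Time) error {
	der, ok := db[signer]
	if !ok {
		return errors.New("no signature certificate for " + signer)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// Trust the certified public key only if the CA signed the certificate
	// and the certificate is inside its validity period.
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	// Recompute the digest of the received document and compare it with the
	// signature decrypted under the certified public key.
	return cert.CheckSignature(x509.SHA256WithRSA, doc, sig)
}
```

The call sequence follows the claim: NewCA and NewUserKeyPair generate the two key pairs, IssueSignatureCertificate is the CA's "generating and digitally signing" step with the result stored in the CertDB, SignDocument is the new user's side of claim 11, and VerifyDocument is the second user's side. A modified document, an unknown signer, an expired certificate, or a certificate issued by some other CA all make VerifyDocument return an error rather than nil.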

12. The method according to claim 1, further comprising generating the key pair at a platform of the new user, the platform providing the public key to the certification authority.

13. The method according to claim 1, wherein the first sending and the second sending are performed by the registration authority.

14. The method according to claim 1, wherein the registration authority comprises an application on a server.

15. The method according to claim 1, further comprising sending the first piece of information to a home address of the new user.

16. The method according to claim 1, further comprising storing the public key and the private key on a token.

17. The method according to claim 16, wherein the token comprises a smart card.

18. The method according to claim 16, wherein the token comprises a device with a Universal Serial Bus (USB) interface.

19. The method according to claim 1, wherein the signature certificate comprises information identifying at least one of the new user, the public key, the period of time that the certificate is valid, the algorithm used to generate the public key, and the public key length.

20. A method for generation of a signature certificate in a Public Key Infrastructure (PKI) comprising:

entering data about a new user into a database;
requesting access to an enterprise server by the new user;
querying the database for new user information by a registration authority;
sending a new user a first piece of information required for generation of a signature certificate for the new user;
sending a personal registration authority a second piece of information required for generation of a signature certificate for the new user;
delivering the second piece of information to the new user by the personal registration authority in a face-to-face meeting;
providing the first piece of information and the second piece of information to a registration authority by the new user;
registering the new user by the registration authority;
generating a key pair for the new user comprising a public key and a private key;
providing the public key to a certification authority;
generating and digitally signing a signature certificate for the new user by the certification authority; and
sending the signed signature certificate to the database.
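The registration authority's side of the two-piece registration in claims 1 and 20 (the "first sending", the "second sending", and the check performed when the new user presents both pieces) is shown below as an added example in Go; it is not code from the patent or from any product. The patent does not say what the two pieces of information are or how the registration authority checks them, so the example assumes each piece is a random 128-bit value, that the authority stores only a hash binding both pieces to the user they were issued for, and that a registration expires and is single-use; the names Registration, IssueRegistration, Redeem, newPiece and combine, and the user identifiers in the usage, are inventions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Registration is the registration authority's record for one pending new
// user. Only a hash of the combined pieces is kept (assumption of this
// example), so the authority's own database reveals neither piece.
type Registration struct {
	UserID   string
	Expires  time.Time
	Redeemed bool
	digest   [32]byte
}

// newPiece returns a fresh 128-bit random secret, hex-encoded for delivery.
func newPiece() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// combine binds both pieces to the user they were issued for, so pieces issued
// for one user cannot be redeemed under another user's name.
func combine(userID, first, second string) [32]byte {
	return sha256.Sum256([]byte(userID + "\x00" + first + "\x00" + second))
}

// IssueRegistration is the "first sending" and "second sending": the first
// piece is returned for delivery to the new user (e.g. by post to the home
// address), the second for delivery to the personal registration authority,
// who hands it over in the face-to-face meeting.
func IssueRegistration(userID string, now time.Time, ttl time.Duration) (first, second string, reg *Registration, err error) {
	if first, err = newPiece(); err != nil {
		return "", "", nil, err
	}
	if second, err = newPiece(); err != nil {
		return "", "", nil, err
	}
	reg = &Registration{UserID: userID, Expires: now.Add(ttl), digest: combine(userID, first, second)}
	return first, second, reg, nil
}

// Redeem is the registration authority's check when the new user provides
// both pieces. One piece alone is never sufficient, each registration can be
// redeemed once, and the comparison is constant-time.
func Redeem(reg *Registration, userID, first, second string, now time.Time) error {
	if reg.Redeemed {
		return errors.New("registration already used")
	}
	if now.After(reg.Expires) {
		return errors.New("registration expired")
	}
	got := combine(userID, first, second)
	if !hmac.Equal(reg.digest[:], got[:]) {
		return errors.New("pieces do not match this registration")
	}
	reg.Redeemed = true
	return nil
}
```

In use, the authority calls IssueRegistration("alice", now, 48*time.Hour) when it reads the new user's record from the database, dispatches the two returned strings over the two separate channels, and calls Redeem when the user later presents both; only a nil result from Redeem leads on to the key generation and certificate issuance steps.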

21. The method according to claim 20, further comprising requesting a user signature from the new user after the requesting, the user signature requested by a web server.

22. The method according to claim 21, further comprising redirecting the new user to a registration web page if the new user has no user signature.

23. The method according to claim 20, further compris- 
ing sending the first piece of information to a home 
address of the new user. 

24. The method according to claim 20, further compris- 
ing sending the second piece of information to a 
work address of the personal registration authority. 

25. The method according to claim 20, further compris- 
ing sending the second piece of information to an 
email address of the personal registration authority. 

26. The method according to claim 20, wherein the signature certificate comprises information identifying at least one of the new user, the public key, the period of time that the certificate is valid, the algorithm used to generate the public key, and the public key length.

27. An article comprising a storage medium having instructions stored therein, the instructions when executed causing a processing device to perform:

querying a database for new user information;
sending the new user a first piece of information required for generation of a signature certificate for the new user;
sending a personal registration authority a second piece of information required for generation of a signature certificate for the new user;
receiving the first piece of information and the second piece of information from the new user;
registering the new user; and
signaling a client platform to generate a key pair for the new user comprising a public key and a private key.

28. An article comprising a storage medium having instructions stored therein, the instructions when executed causing a processing device to perform:

receiving a public key from a user;
generating a signature certificate for the user;
digitally signing the signature certificate; and
sending the digitally signed signature certificate to a database.

29. A system for generating a signature certificate in a Public Key Infrastructure (PKI) comprising:

at least one server operably connected to a network;
a database operably connected to the network, the database containing information on at least one user;
a directory operably connected to the network, the directory containing the same information as the database but providing faster access to the information;
at least one client platform operably connected to the network, the at least one user requesting access to the at least one server from the at least one client platform; and
a registration web server operably connected to the network, the registration web server sending the new user a first piece of information required for generation of a signature certificate for the new user and sending a personal registration authority a second piece of information required for generation of a signature certificate for the new user, and
wherein the second piece of information is delivered to the new user by the personal registration authority in a face-to-face meeting, the first piece of information and the second piece of information being used by the new user in a process for generation of public and private keys and a signature certificate for the new user.

30. The system according to claim 29, further comprising a registration authority application residing at one of the at least one servers, the registration authority application registering the new user based on the new user supplying the first piece of information and the second piece of information to the web server, the registration authority application instructing an application at the client platform to generate the public and private keys for the new user.

31. The system according to claim 29, further comprising a certificate authority application residing at one of the at least one servers, the certificate authority application receiving the public key and generating and digitally signing a signature certificate for the new user.

32. The system according to claim 29, further comprising a token, the token being connectable to the at least one client platform, the token storing the public and private keys of the new user.